Full Discussion: iptables: block/allow ftp
Special Forums Cybersecurity iptables: block/allow ftp Post 18686 by sTorm on Tuesday 2nd of April 2002 01:54:08 AM
These two lines are just for the control connection. For the data transfer, two more lines have to be added:

# active-mode data connection: server (port ftp-data/20) -> client high port
iptables -A FORWARD -i $eth0 -o $eth1 -p TCP --sport ftp-data --dport 1024:65535 -j ACCEPT
# and the client's replies on that connection back to the server
iptables -A FORWARD -i $eth1 -o $eth0 -p TCP --sport 1024:65535 --dport ftp-data -j ACCEPT

This is for the active mode.
If you want to use passive mode, change the port from "ftp-data" to "1024:65535" in the two lines above. Although I didn't try it, it should work fine.
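An added example (not code from the post above) that puts the control rules and both data-connection variants from this thread into one script, and goes one step further than the post with a conntrack mode that admits only the data port actually negotiated on the control channel. Assumed layout as in the thread: one interface towards the FTP server, one towards the clients, FORWARD policy DROP; the interface names, the ftp_rules function and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: emit the iptables FORWARD
# rules a two-interface firewall needs for FTP in active, passive or
# conntrack mode. $wan is the interface towards the FTP server, $lan the
# interface towards the clients (both assumed). Rules are printed instead
# of applied when DRY_RUN=1 or when the script is not run as root.
: "${DRY_RUN:=$([ "$(id -u)" -eq 0 ] && echo 0 || echo 1)}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# ftp_rules MODE WAN_IF LAN_IF   (MODE is active, passive or conntrack)
ftp_rules() {
    mode=$1; wan=$2; lan=$3
    case $mode in
    active|passive|conntrack) ;;
    *) echo "usage: ftp_rules active|passive|conntrack WAN_IF LAN_IF" >&2; return 2 ;;
    esac
    # Control connection: client (LAN, unprivileged port) -> server port 21,
    # and the server's replies back to the client.
    ipt -A FORWARD -i "$lan" -o "$wan" -p tcp --sport 1024:65535 --dport 21 -j ACCEPT
    ipt -A FORWARD -i "$wan" -o "$lan" -p tcp --sport 21 --dport 1024:65535 -j ACCEPT
    case $mode in
    active)
        # Server opens the data connection from port 20 to the client's high port.
        ipt -A FORWARD -i "$wan" -o "$lan" -p tcp --sport 20 --dport 1024:65535 -j ACCEPT
        ipt -A FORWARD -i "$lan" -o "$wan" -p tcp --sport 1024:65535 --dport 20 -j ACCEPT
        ;;
    passive)
        # Client opens the data connection to the high port the server announced.
        # This is the post's suggestion; it leaves every high port open in both
        # directions between the two networks, which the conntrack mode avoids.
        ipt -A FORWARD -i "$lan" -o "$wan" -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
        ipt -A FORWARD -i "$wan" -o "$lan" -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
        ;;
    conntrack)
        # Let the kernel's FTP helper (nf_conntrack_ftp) follow the PORT/PASV
        # exchange and admit only the negotiated data connection as RELATED.
        # Kernels since 4.7 no longer auto-assign helpers, so the helper must be
        # attached explicitly (for example with a raw-table CT --helper ftp rule).
        ipt -A FORWARD -i "$wan" -o "$lan" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        ipt -A FORWARD -i "$lan" -o "$wan" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        ;;
    esac
}

# Run directly, e.g.: DRY_RUN=1 sh ftp_rules.sh active eth0 eth1
if [ $# -ge 3 ]; then ftp_rules "$@"; fi
```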
 

FILTER SYNTAX(5)              File Formats Manual              FILTER SYNTAX(5)

NAME
       rules.filter - Input format for filtergen packet filter compiler

INTRO
       This file describes the input syntax accepted by filtergen(8).

BASICS
       In general form, a filter rule is described by a direction, an interface, a target and (possibly empty) sets of matches and options. Simple rules will look like:

              direction interface match0 .. matchN target;

       for example:

              input eth0 source host1 dest host2 proto tcp dport http accept;

       Note that the elements of the rule can be placed in any order, with the exception that the interface must immediately follow the direction. Thus, this rule is equivalent to the above (though perhaps less readable):

              proto tcp source host1 dport http accept dest host2 input eth0;

       The semicolon separates rules. It is optional before a closing brace or the end of a file. Whitespace is not significant. Anything after a hash ("#") on a line is ignored.

DIRECTION
       A direction merely specifies whether to match packets being sent or received. The only two directions available are "input" and "output". Forwarded packets will pass through both.

INTERFACE
       This specifies which real or virtual network device to filter. As far as filtergen is concerned, this is just a text string. It must be the same as the device name on the target system. Common names on Linux are "eth0", "eth1", ..., "ppp0", etc. Other systems will have different naming rules.

TARGET
       A target notes what we do with a matching packet. Universal options are accept and drop which, respectively, state that the packet should be allowed as normal, or thrown away. Some backends support reject to throw away a packet, but send notification to the sender that it was denied, masq (on output rules only) to "masquerade" a packet - alter it so that it appears to come from the address of the sending interface - and proxy (and its deprecated alias redirect) to divert a connection via the local system.

MATCHES
       The matches are the meat of the rule. They apply a set of tests to a packet and decide if this rule will be used to process it. Available matches are:

              source addr-range
              dest addr-range
              proto {tcp|udp|icmp|...}
              sport port-range
              dport port-range
              icmptype icmp-type

       Matches can be negated by prefixing them with a "!":

              input eth0 ! dest 10.0.0.3 reject;

       (note that not all backends can support this).

OPTIONS
       Options affect the behaviour of the matcher or the target. Currently implemented are log, which logs packets, local, which means only to check packets to or from this interface, forward which means the opposite of local, and oneway which causes the backend to omit rules which permit return packets.

       The log option can optionally specify a message to log matching packets with, where the backend supports it:

              input eth0 source { 10.0.0.0/8 192.168.0.0/16 } log text "private addresses" drop;

       Note that the oneway option may have no effect when used with the -l command-line flag on backends which support it.

GROUPING
       Because it can get tedious to type:

              input eth0 source foo dest bar proto tcp dport http accept;
              input eth0 source foo dest bar proto tcp dport https accept;
              input eth0 source foo dest bar proto tcp dport nntp accept;
              input eth0 source foo dest bar proto tcp sport 1:1023 dport ssh accept;
              ...

       filter allows you to group rules with a set syntax:

              input eth0 source foo dest bar proto tcp {
                  dport http;
                  dport https;
                  dport nntp;
                  sport 1:1023 dport ssh;
              } accept;

       Matches which accept arguments can also be grouped:

              input eth0 source foo dest bar proto tcp {
                  dport {http https nntp};
                  sport 1:1023 dport ssh;
              } accept;

OUT-OF-LINE GROUPS
       It is commonly the case that both hosts and routers have long lists of similar looking rules to allow traffic between groups of hosts, as above. What if we had another pair of hosts which needed a variety of services? We could simply put the rule groups one after the other:

              input eth0 source foo dest bar proto tcp {
                  dport {http https nntp};
                  sport 1:1023 dport ssh;
              } accept;
              input eth0 source baz dest quux proto tcp {
                  dport {1264 1521 1984 8008 8080 26000};
              } accept;

       The above generates 11 rules, and every additional port adds another rule through which packets will pass (well, ones which don't match any of the above). The first four output rules have the same source and destination hosts and protocol, and we know that if it doesn't match those on the first rule, it won't on the next three, either. Out-of-line groups use this fact to streamline things somewhat:

              input eth0 source foo dest bar [
                  proto tcp {
                      dport {http https nntp};
                      sport 1:1023 dport ssh;
                  } accept;
              ];
              input eth0 source baz dest quux [
                  proto tcp {
                      dport {1264 1521 1984 8008 8080 26000};
                  } accept;
              ];

       Where the underlying system supports it, everything inside the square brackets is moved into a separate "chain" (in ipchains and iptables-speak) or "group" (in ipfilter-speak). Thus, any packet not matching "source foo dest bar" or "source baz dest quux" above will be checked against only two rules, not eleven.

       Note that matches which must appear together, like "proto tcp" and "sport 12345", need to be either both in the group, or both out of it.

EXAMPLE
       Here's a fairly complete example, for a single-interface machine:

              #
              # Example filter for (for example) a mail server
              #

              # Unfortunately, we don't have time to audit the
              # communications which go on locally
              {input lo; output lo} accept;

              # But we want to be a bit more careful when speaking
              # to the outside world
              input eth0 {
                  # Sadly, we share a DMZ with Windows machines.
                  # Don't log their netbios noise
                  proto {tcp udp} source ournet/24 dport 137:139 drop;

                  proto tcp {
                      dport { smtp pop-3 } accept;
                      dport ssh source ournet/24 accept;

                      # We don't answer this, but don't want to
                      # cause timeouts by blocking it
                      dport auth reject;

                      log drop;
                  };

                  # We don't run any UDP (or other non-TCP)
                  # services
                  log drop;
              };

              output eth0 {
                  proto tcp {
                      dport { smtp auth } accept;
                      log drop;
                  };

                  # Outbound DNS is OK
                  proto udp dport domain dest { ns0 ns1 } accept;

                  log drop;
              };

SEE ALSO
       filtergen(8), filter_backends(7)

                                January 7, 2004               FILTER SYNTAX(5)
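An added example in the syntax described above, not taken from the man page, tying it back to the FTP rules discussed in the thread: a single-interface host running an FTP server. Assumptions: ournet is the client network (as in the man page's own example), the service names ftp and ftp-data resolve through /etc/services, and return packets are permitted automatically because oneway is not used.

```text
# Added example (not from the man page): FTP server on a single-interface host
input eth0 {
    proto tcp {
        # control connection from anywhere
        dport ftp accept;
        # passive-mode data connections: client high port -> server high port,
        # restricted to our own network; this is a wide hole, so keep it narrow
        source ournet/24 sport 1024:65535 dport 1024:65535 accept;
        log drop;
    };
    # no UDP or other non-TCP services here
    log drop;
};

output eth0 {
    # active-mode data connections are opened by the server from ftp-data (20)
    # towards the client's high port; return packets for the rules above are
    # generated by filtergen since oneway is not set
    proto tcp sport ftp-data dport 1024:65535 accept;
    log drop;
};
```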
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.